SpiderLabs Blog


Endless Evasion Racing Game

In the past year we have been exploring the Magnitude Exploit Kit, one of the major actors in the cybercriminal scene. Like most modern exploit kits, Magnitude is built from several layers in order to reduce its chances of being exposed by security vendors. In this post we show a recent development in Magnitude that adds yet another layer of evasion.

Figure 1: Magnitude architecture

In a previous blog post on Magnitude we described the architecture of the exploit kit. Even though that architecture is complex and fairly solid, Magnitude did not put much effort into hiding its landing page, which most security vendors could easily detect (especially given the unique URL patterns Magnitude uses). Recently we noticed that the author of the Magnitude Exploit Kit has added an additional layer of evasion in front of it.

The following screenshot shows the exploitation flow of Magnitude:

Figure 2: Magnitude flow

The referrer of the Magnitude landing page in this flow was 1deposit[dot]com.

When browsing directly to that website, the user lands on a High-Yield Investment Program (HYIP) Ponzi scheme site.

This is the content you see when browsing directly to the site without a referrer:

Figure 3: Direct access to 1deposit.com

At first glance the website looks legitimate, but when we dug a bit deeper we found that it is simply a mirror of the original HYIP website 9deposit.com. A legitimate-looking interface (even if the content is an HYIP scam) reduces the chances of the domain being marked as malicious.

When browsing with any other (random) referrer, the user is redirected to bing.com, once more hiding the true nature of the site.

Only when browsing with the original referrer are we redirected to the Magnitude landing page. It appears that Magnitude's gateway server filters incoming traffic and passes only visitors arriving from its own malvertising campaigns, driven by smytrafficfilter[dot]com, on to the landing page.
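The practical consequence for anyone trying to reproduce the chain is that a crawler or URL scanner that fetches the gateway without the campaign's Referer header only ever sees the HYIP mirror or bing.com. The following is an added example written for this post, our own model of the referrer routing described above and not the gateway's actual code: the campaign domain comes from the post, while the outcome labels, exact-host matching and the handling of a malformed header are our assumptions.

```javascript
// Added example (our own model, not the gateway's code): referrer-based
// routing as described in the post. The campaign domain is from the post;
// outcome labels and exact-host matching are assumptions.

const CAMPAIGN_REFERRERS = new Set(["smytrafficfilter.com"]);

// Returns what the gateway serves for a given Referer header value:
//   "hyip-mirror" - no referrer: the mirrored 9deposit.com investment site
//   "decoy-bing"  - any other referrer: redirect to bing.com
//   "gate-script" - campaign referrer: the obfuscated fingerprinting script,
//                   which itself decides whether to forward to the landing page
function route(referer) {
  if (!referer) return "hyip-mirror";
  let host;
  try {
    host = new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return "decoy-bing"; // unparsable referrer: treated like any stranger (assumption)
  }
  return CAMPAIGN_REFERRERS.has(host) ? "gate-script" : "decoy-bing";
}

// Node's http module lowercases header names, so look the header up that way.
function routeRequest(headers) {
  return route(headers["referer"]);
}

// Constructed replay of the three cases from the post.
const REPLAY = [
  { referer: undefined, expect: "hyip-mirror" },
  { referer: "http://example.org/some/page", expect: "decoy-bing" },
  { referer: "http://smytrafficfilter.com/click?id=1", expect: "gate-script" },
];

// Runs every replay case and reports whether the observed outcome matches.
function replayAll() {
  return REPLAY.map((c) => {
    const got = route(c.referer);
    return { referer: c.referer, expect: c.expect, got: got, ok: got === c.expect };
  });
}

for (const r of replayAll()) {
  console.log(r.referer || "(no referrer)", "->", r.got, r.ok ? "ok" : "MISMATCH");
}
```

When replaying captured traffic against such a gateway, preserve the exact Referer value from the malvertising hop; a lookalike host such as evil.smytrafficfilter.com.example does not match an exact-host allowlist, and a request with no referrer at all is answered with the decoy investment page.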

After analyzing the obfuscated code served by 1deposit[dot]com (the gateway server), we found the following checks:

Figure 5: De-obfuscated code

The code above performs two types of checks to ensure that the machine is indeed a potential victim.

Both checks rely on CVE-2013-7331, an Internet Explorer information-disclosure vulnerability, and run in two stages:

The first check uses an Image object to test whether a given application exists, by pointing the image's "src" attribute at the application's local path. If the "onload" event fires, the path exists and the application is installed locally, so the redirection to the landing page does not take place.

The script probes the following long list of local paths (one per application):

Looking at the list, one can clearly see that some of these checks are meant to avoid users running security products that would likely block exploitation attempts, while others are meant to avoid security researchers by looking for virtualization solutions and applications commonly used during analysis.

The second check looks for the presence of several Kaspersky ActiveX controls (by ProgID) as a sign of a local installation of that AV:

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.4_5_0.1
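To make the two-stage logic concrete, here is an added example written for this post: a clean-room model of both checks, not the kit's own obfuscated code. The browser globals Image and ActiveXObject are passed in as constructors so the logic runs under Node against simulated machines built at the bottom of the block. The probed paths are a constructed sample (the kit's real, much longer list is not reproduced), the Kaspersky ProgIDs are the ones quoted above, and the res:// URL form used to load a resource from the executable is an assumption taken from the CVE-2013-7331 description rather than from the page.

```javascript
// Added example, not the exploit kit's own code: a clean-room model of the
// two client-side checks described above, runnable under Node. Image and
// ActiveXObject are injected; simulated machines are constructed below.

// Constructed sample of probed local paths (the real list is far longer).
const PROBE_PATHS = [
  "C:\\Program Files\\ExampleAV\\av.exe",            // a security product
  "C:\\Program Files\\ExampleVM\\Tools\\guest.exe",  // virtualization guest tools
  "C:\\Tools\\ExampleAnalyzer\\analyzer.exe",        // researcher tooling
];

// ProgIDs quoted in the post.
const KASPERSKY_PROGIDS = [
  "Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi",
  "Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1",
  "Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.4_5_0.1",
];

// Stage 1: Image-object probe. The src is pointed at the local path and a
// firing onload means the file is present. The res:// prefix (loading a
// resource out of the executable) is an assumption; the page only says the
// local path is used as src.
function probePath(ImageCtor, path) {
  return new Promise((resolve) => {
    const img = new ImageCtor();
    img.onload = () => resolve(true);    // resource loaded -> file present
    img.onerror = () => resolve(false);  // load failed -> file absent
    img.src = "res://" + path;
  });
}

// Stage 2: ActiveX probe. In IE, new ActiveXObject(progId) throws when the
// control is not registered, so an exception means "not installed".
function hasActiveX(ActiveXCtor, progId) {
  try {
    new ActiveXCtor(progId);
    return true;
  } catch (e) {
    return false;
  }
}

// Gateway verdict: any hit aborts the redirect, so the visitor never reaches
// a real Magnitude server. Returns the hits for inspection.
async function gatewayVerdict(ImageCtor, ActiveXCtor) {
  const hits = [];
  for (const p of PROBE_PATHS) {
    if (await probePath(ImageCtor, p)) hits.push("path:" + p);
  }
  for (const id of KASPERSKY_PROGIDS) {
    if (hasActiveX(ActiveXCtor, id)) hits.push("activex:" + id);
  }
  return { redirect: hits.length === 0, hits: hits };
}

// ---- Simulated machines (constructed for this example) ----
// Fake Image whose src setter fires onload if the probed path is installed,
// otherwise onerror, asynchronously as a browser would.
function fakeImage(installed) {
  return class {
    set src(url) {
      const path = url.replace(/^res:\/\//, "");
      const fire = installed.has(path) ? () => this.onload() : () => this.onerror();
      setTimeout(fire, 0);
    }
  };
}

// Fake ActiveXObject that only knows the ProgIDs in `registered`.
function fakeActiveX(registered) {
  return class {
    constructor(progId) {
      if (!registered.has(progId)) throw new Error("Automation server can't create object");
    }
  };
}

// A bare victim (nothing installed) is redirected; an analyst VM with guest
// tools and a Kaspersky plug-in is filtered out.
async function demo() {
  const victim = await gatewayVerdict(fakeImage(new Set()), fakeActiveX(new Set()));
  const analyst = await gatewayVerdict(
    fakeImage(new Set(["C:\\Program Files\\ExampleVM\\Tools\\guest.exe"])),
    fakeActiveX(new Set(["Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi"]))
  );
  return { victim: victim, analyst: analyst };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The same structure is what you would look for when de-obfuscating a gateway page of this kind: an array of local paths fed one by one into an Image (or similar) object whose load handlers gate a redirect, followed by a try/catch around ActiveXObject instantiation for vendor-specific ProgIDs. On an analysis box, a single positive probe is enough to keep the landing page hidden, which is why capturing the real exploit traffic from such a kit requires a victim-like machine with none of the probed artifacts present.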

Most exploit kits use this technique to keep a low profile and avoid detection. What makes this variant unique is that, unlike other EKs, which embed the filtering tests inside their landing pages, Magnitude runs the tests one step earlier: if the target machine fails any of these tests, it never reaches any of Magnitude's real servers or exploits.

It is interesting to see the different ways in which exploit kit developers choose to cope with security mechanisms. While most exploit kits make an effort to look more like legitimate web applications, Magnitude's distinctive URL structure is probably at least part of the reason it took a different approach and tries to avoid exposing those URLs whenever possible.

Looking back at our telemetry, we found a few more domains that similarly led to Magnitude:

1deposit[dot]info, 1stdeposit[dot]org, 1stdeposit[dot]me

This blog post was co-authored by Daniel Chechik and Rami Kogan.

Trustwave Secure Web Gateway protects customers against the Magnitude Exploit Kit including from this most recent version.